Privacy Policy

Updated June 2025

PURPOSE 

This policy outlines Grey Matta Solutions’ (GMS) commitment to the privacy of personal information provided to us for the engagement of our professional services. We collect and process personal information based on the consent provided by individuals or as required by law. The types of personal information that GMS collects may be names, addresses, email addresses, and phone numbers.

 

Through the adoption of the Australian Privacy Principles (APPs) contained in the Privacy Act 1988 (Cth) (the Privacy Act), GMS refers to the APPs to govern how we collect, use, disclose, store, secure and dispose of your personal information. 

SCOPE 

This policy applies to all individuals who interact with GMS including clients, customers, and website visitors. 

This policy also applies to employees, contractors, and sub-contractors undertaking services for GMS. This includes those engaged by sub-contractors to assist them in undertaking those services.

 

This includes an employee of a labour-hire, work experience student, or volunteer.  

DEFINITIONS 

Multi-factor authentication (MFA)

This is multiple-layer security. For example, criminals might manage to steal one proof of identity, such as your password, but they still need to obtain and use the other proofs of identity to access your account.

Penetration testing 

Processes and procedures designed to identify, verify, resolve, and report on security vulnerabilities.

Personally identifiable information (PII)

Any information that can directly or indirectly identify an individual.

RELATED DOCUMENTS & AUTHORITY 

- Australian Privacy Principles (APPs) contained in the Privacy Act 1988 (Cth)

- Privacy Act 1988 (Cth) and associated regulations

- Data breach notification laws or regulations

- Industry-specific standards 

- Privacy Commissioner guidelines or recommendations 

 

Internal documents 

- Code of Conduct 

- Complaints Management Policy  

- Data Retention and Disposal Policy 

- Data Spill Management Guide 

- Disciplinary Action Procedure 

- Electronic Communication Policy 

- Information Security Policy 

ROLES AND RESPONSIBILITIES

Privacy and security of personal information is the responsibility of all those undertaking services for GMS as defined in the scope of this policy. 

INFORMATION  

 What is personal information?  

Personal information is information or an opinion that identifies an individual. Examples of personal information we collect include names, addresses, email addresses, and phone numbers. 

What is sensitive information? 

Sensitive information is defined in the Privacy Act 1988 to include information or opinion about such things as an individual's racial or ethnic origin, political opinions, membership of a political association, religious or philosophical beliefs, membership of a trade union or other professional body, criminal record, or health information. 

 

Sensitive information will be used by us only: 

- For the primary purpose for which it was obtained 

- For a secondary purpose that is directly related to the primary purpose

- With your consent or where required or authorised by law. 

COLLECTION, DISCLOSURE AND ACCESS 

Why do we collect it? 

We collect your personal information for the primary purpose of providing our services to you, providing information to our clients and marketing. We may also use your personal information for secondary purposes closely related to the primary purpose, in circumstances where you would reasonably expect such use or disclosure. You may unsubscribe from our mailing/marketing lists at any time by contacting us in writing. 

How do we collect it? 

Personal information is obtained in many ways including interviews, forms/applications, proposals, correspondence, telephone/mobile, by email, via our website, from media and publications, from other publicly available sources, from cookies, and from third parties. GMS does not guarantee website links or the policy of authorised third parties. 

GMS transparency 

When we collect personal information, where appropriate and where possible, we explain to you why we are collecting the information and how we plan to use it. 

Third Parties 

Where reasonable and practicable to do so, we collect your personal information only from you. However, in some circumstances, we may be provided with information by third parties. In such a case we take reasonable steps to ensure that you are made aware of the information provided to us by the third party. 

Disclosure of personal information 

Your personal information may be disclosed in some circumstances including the following: 

- Third parties where you consent to the use or disclosure; and

- Where required or authorised by law. 

Access to your personal information 

You may access the personal information we hold about you and update and/or correct it, subject to certain exceptions. If you wish to access your personal information, please contact us in writing. 

 

GMS will not charge any fee for your access request but may charge an administrative fee for providing a copy of your personal information. 

 

To protect your personal information, we may require identification from you before releasing the requested information. 

MAINTAINING QUALITY  

Maintaining the quality of your personal information 

It is important to us that your personal information is up to date. We will take reasonable steps to make sure that your personal information is accurate, complete, and up to date.  

 

If you find that the information we have is not up to date or is inaccurate, please advise us as soon as practicable so we can update our records and ensure we can continue to provide quality services to you. 

INTERNATIONAL DATA 

GMS operates in multiple jurisdictions, which may involve transfers of personal information across international borders. As a result, GMS acknowledges and complies with relevant international data protection laws and regulations. This includes, but is not limited to, the General Data Protection Regulation (GDPR) in the European Union.

GMS strives to ensure that all personal information is handled in accordance with applicable laws and regulations, regardless of the jurisdiction in which it is processed or stored. 

SECURITY 

Securing and managing your personal information 

Your personal information is stored in a manner that reasonably protects it from misuse, loss and unauthorised access, modification, or disclosure. 

 

When your personal information is no longer needed for the purpose for which it was obtained, we take reasonable steps to destroy or permanently de-identify your personal information. However, most of the personal information is or will be stored in client files which will be kept by us for a minimum of 7 years. 

Information Security considerations 

GMS, meaning those persons undertaking services for GMS as defined in the scope of this policy, is committed to ensuring the following considerations are managed and to taking appropriate and necessary measures to store personal information within GMS systems.

 

GMS acknowledges Australian Privacy Principle 11, which identifies the following as security considerations:

- Misuse – Personal information is misused if it is used in a way other than for which it was collected.

- Interference - ‘Interference’ with personal information occurs where there is an attack on personal information that GMS holds that interferes with the personal information but does not necessarily modify its content. ‘Interference’ includes an attack on a computer system that, for example, leads to exposure of personal information.

- Loss - ‘Loss’ of personal information covers the accidental or inadvertent loss of personal information held by GMS. This includes if GMS: 

physically loses personal information (including hard copy documents, computer equipment or portable storage devices containing personal information), for example, by leaving it in a public place, or electronically loses personal information, such as failing to keep adequate backups of personal information in the event of a systems failure.

Loss may also occur because of theft following unauthorised access or modification of personal information or because of natural disasters such as floods, fires, or power outages. 

However, it does not apply to intentional destruction or de-identification of that personal information that is done in accordance with the APPs. 

- Unauthorised access - ‘Unauthorised access’ of personal information occurs when personal information that GMS has collected is accessed by someone who is not permitted to do so. This includes unauthorised access by those persons undertaking services for GMS as defined in the scope of this policy, as well as unauthorised access by an external third party (such as by hacking). 

- Unauthorised modification - ‘Unauthorised modification’ of personal information. GMS manages who can access what within our business computing environment. This is our way to limit access to a computing system which minimises the risk of unauthorised access to important information.  

- Unauthorised disclosure – ‘Unauthorised disclosure’ occurs when those persons undertaking services for GMS as defined in the scope of this policy:

make personal information accessible or visible to others outside the entity, and

release that information from their effective control in a way that is not permitted by the Privacy Act.

This includes an unauthorised disclosure by those persons undertaking services for GMS as defined in the scope of this policy. 

Data Retention 

GMS retains personal information only for as long as necessary to fulfill the purposes for which it was collected unless a longer retention period is required or permitted by law. GMS has established specific retention periods based on the type of personal information and the purposes for which it is processed. 

 

The criteria used to determine the retention period may include legal requirements, contractual obligations, and business needs.  

 

When personal information is no longer required and can be lawfully disposed of, GMS takes appropriate measures to securely destroy or permanently de-identify the information. This includes implementing secure data destruction practices in accordance with industry standards and best practices. 

 

Refer to the Data Retention and Disposal Policy. 

CYBER SECURITY  

GMS Cyber Checklist – protecting your information 

Cyber security is everyone’s responsibility at GMS. GMS is committed to continually applying cyber security measures at every level.

Our internal processes and workforce are the last, and one of the most important, lines of defense in protecting our business from cyber security threats.

The following addresses how GMS secures access to information, secures our business accounts, and conducts training on how to prevent, recognise and report cyber security incidents.

  

Software considerations 

 

Automatically update our operating systems, software, and apps 

 

People and Procedures 

 

Those persons undertaking services for GMS as defined in the scope of this policy can be the first and last line of defense against cybercrime: 

GMS will: 

- Manage who can access what within our business.

- Mandate regular training (including refresher training) in security basics.

- Share instances that have occurred internally of potential phishing emails and other possible cyber infiltration to be aware of, and share relevant articles on cyber updates.

- Where multi-factor authentication (MFA) is not possible, use passphrases to protect accounts and devices.

- Enable MFA on important accounts wherever possible.

- Regularly back up important data.

PRIVACY POLICY COMPLAINTS AND ENQUIRIES 

If you have any queries or complaints about our Privacy Policy, please contact us at: 

 

Grey Matta Solutions 

[email protected] 

0417 409 102 

 

Alternatively, please refer to our Complaints Management Policy.  

PRIVACY BREACH (internal) 

GMS will not tolerate any breaches of the standards and expectations as set out in this policy.  

Where a breach occurs, GMS will instigate an investigation under the GMS Disciplinary Action Procedure. 

REPORT AND RECOVERY – CYBER & PRIVACY INCIDENTS 

GMS takes cyber incidents seriously and reinforces the obligation for all those mentioned in the scope who are undertaking services for GMS to report incidents or suspected compromises both from internal and external threats immediately to the CEO GMS.  

 

GMS will manage such incidents in accordance with the Data Spill Management Guide. 

 

GMS is committed to protecting all information held by continually seeking ways to improve our security by accessing the most current information through the Australian Cyber Security Centre. 

Contact Us

Grey Matta Solutions

67 Astor Terrace, Spring Hill QLD 4000
